nickb800: Would this argument extend to iframes - since you can't easily see that it's an HTTPS connection? By easily I mean that there isn't an obvious padlock next to the URL.

Yep, it's exactly the same deal because you can't have confidence in the integrity of the iframe once it's been embedded in an HTTP page - how do you know it's a secure page in there and not an attacker's? Here's a demo of that too: http://www.troyhunt.com/2013/06/the-security-futility-that-is-embedding.html

Would this argument extend to iframes - since you can't easily see that it's an HTTPS connection? By easily I mean that there isn't an obvious padlock next to the URL.

Yeah it would, it totally negates the whole point of an SSL cert when you don't get the padlock and cert information in the address bar. You can't really expect users to go digging into code and hoping that the iframe they find is actually the one that is onscreen before entering their details.

Zeon: If this place is anything like gpforums there will be a stuff reporter who will turn this into front page news and something will happen :)

Aren't they both owned by the same parent co? If so that reporter might want to sign up to Trade Me jobs.

As far as I'm aware, Fairfax sold Trade Me after a while.

A friend who's a chief reporter at one of their papers said they don't own Trade Me now too.

I remember, in the early Trade Me years, emailing Trade Me about HTTPS/SSL because for a while they didn't secure the log in either. I refused to use it until it bounced to a secure site on log in then back again.

timmmay: Ah yes, XSS, I haven't done much security work in a while and forgot about the whole injection thing. If there's an iframe that's secure surely a script can't mess with the contents of the secure part?

This is where I said "If the billing page is inside an iframe and the billing page inside the iframe and the form submission goes to a secure page then that's ok."

All other cases are not ok.

This is still not OK. If you can MITM that connection, and the main page isn't over HTTPS, you can simply rewrite the URL for that iframe when your victim is fetching the main page. (And then redirect it to your own page that looks exactly like the iframe, save the data, and then either show an error message or silently redirect the data they entered to the proper page.)
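
A site-audit check for the situation discussed in this thread, added here as an example and not code from any of the posters: it flags every iframe, form, or script reference on a page and reports when an HTTPS target is named by a parent page that was itself delivered over plain HTTP. The function name `audit`, the watched attribute set, and the `shop.example` / `pay.example` sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that pull in, or send data to, another document.
WATCHED = {("iframe", "src"), ("form", "action"), ("script", "src")}

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, raw attribute value) in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in WATCHED and value:
                self.refs.append((tag, value))

def audit(page_url, html):
    """Return (tag, absolute_url, finding) for each watched reference."""
    parent_secure = urlsplit(page_url).scheme == "https"
    collector = _Collector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.refs:
        target = urljoin(page_url, raw)  # resolve relative references
        target_secure = urlsplit(target).scheme == "https"
        if not target_secure:
            finding = "target is not https"
        elif not parent_secure:
            # The https URL is only text inside an unauthenticated response,
            # so nothing guarantees the browser loads this target.
            finding = "https target named by an unauthenticated http page"
        else:
            finding = "ok"
        findings.append((tag, target, finding))
    return findings

# Constructed sample: an http checkout page embedding an https billing frame.
SAMPLE_URL = "http://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
  <script src="/static/app.js"></script>
  <iframe src="https://pay.example/billing"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_URL, SAMPLE_HTML):
        print(row)
```

Running the same markup with an `https://` parent URL reports both references as `ok`, which is the only arrangement where the iframe's address reaches the browser with integrity protection.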